• I. INTRODUCTION:

• 1. What is this Notice about? (scope of this Notice)
  

  With this data protection notice (hereinafter: “Notice”) we provide information on which personal data of those who visit, register or purchase on any of the following websites: http://www.eventim.hu, https://www.cts.eventim.hu/ we process, and about the purposes and methods of such data processing. Hereinafter we refer to such websites and any of their pages collectively as “Websites” and “Website” in case of any of them.
  
  The scope of the Notice does not apply to services and data processing activities of third parties (other than the Data Controller) advertising or appearing in any other way on the Websites with their promotions, games, services, campaigns or other published contents, including any link on any of the Website leading to such activities and contents. The data protection notices of the third party providing such services apply to such services, and the Data Controller does not undertake any liability for such data processing activities.

• 2. What data does qualify as personal data? (definition of personal data)
  

  Personal data means any information relating to an identified or identifiable individual (“Data Subject”). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

• 3. What does personal data processing mean? (definition of data processing)
  

  Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• 4. Who is the Data Controller? (contact details of the Data Controller)
  

  The above Websites are operated by CTS Eventim Hungary Kft. (seat: 1139 Budapest, Váci út 91/A 3.em.; company registration No.: Cg. 01-09-877903; represented by Mr. Gyula Kovácska managing director and Mr. Christoph Klinger managing director independently; contact information: dataprotection@eventim.hu); this company determines the purpose and means of the processing of personal data and therefore, this company is the Data Controller of the personal data (hereinafter: “Data Controller”).

• 5. Is there any other company that processes personal data on behalf of the Data Controller? (data processors)
  

  Yes, these companies are called data processors. This Notice lists the data processors involved in the data processing.

• 6. Who is responsible for the accuracy and lawfulness of the personal data submitted to the Websites? (credibility of personal data)
  

  The Data Controller does not check the personal data provided by the Data Subject, unless otherwise stated in this Notice; and the Data Subject is fully liable for the credibility of the personal data submitted by him or her. The Data Subject (visitor, buyer, user, complainant, etc.) warrants that he or she obtained the consent of the other Data Subject to the processing of all those personal data which such other Data Subject provided or gave access to him or her and which he or she submitted to the Website when visiting the Website or using the services provided by the Data Controller (for instance, when publishing content created by someone else or providing information on someone else). The Data Subject shall take full responsibility for the user content he or she uploads or shares on the Website or publishes in relation to the services provided by the Data Controller. When (e.g. in case of buying tickets, registration, making comments or complaints) the Data Subject provides data (e.g. user name, identification, password, etc.) he or she is liable that it is the Data Subject who uses the services by use of the e-mail address and any other data submitted by him. On the basis of this, the Data Subject who registered the e-mail address and provided other personal data on the Website shall be solely responsible for all actions related to the entries using that e-mail address and those personal data. The Data Controller excludes liability for any damage caused to the Data Subject due to the inaccuracy, lack or change of the personal data (i.e. name, e-mail address) provided by the Data Subject during the use of the services provided by the Data Controller or due to the disability of the Data Subject’s e-mail box to receive new messages.
  
  The personal data of the Data Subject under the age of 16 may only be collected and processed with the consent of an adult person exercising parental supervision vis-à-vis such Data Subject. The Data Controller is unable to check whether the person giving the consent to the data processing (usually the legal representative) is solely authorized to give consents to the data processing, and the Data Controller cannot review the content of the parental consent either. The legal representative of Data Subject warrants that the consent to the data processing complies with applicable laws. In case of the use of services or webshop of the Data Controller by a Data Subject who is under the age of 16 the Data Controller assumes that the appropriate consent of the legal representative has been provided.

• 7. What is the legislation behind personal data protection? (legislative background)
  

  The Data Controller especially took into consideration the following laws when creating this Notice: Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act No. CXII. of 2011 on Information Self- Determination and Freedom of Information (“Info Act”), Act No. V. of 2013 on the Civil Code (the “Civil Code”), Act No. CVIII. of 2001 on E-commerce Services (“E-commerce Act”), Act No. XLVIII. of 2008 on Advertising Activity (“Advertising Act”).




• II. ABOUT THE DATA PROCESSING

• II.1. FOR THE WEBSITE VISITORS:
  
  • 1. What kind of cookies are used on the Websites?
    
    On the Websites permanent, tracking and cookies related to one work session are used. The permanent cookies enable that the Websites remember the visitor visiting the Website more times, his or her settings and preferences. Cookies related to one work session help the Website recognize the visitor of the Website at the time of the visit even if the visitor of the Websites moves from page to page; but these cookies expire when the visitor leaves the Website.
    
    There are several types of cookies used on the Websites; we differentiate them based on their functions, as follows:
    • - Technical cookies:
      Use of technical cookies enables proper display and operation of the Websites, among others the login to the Websites or managing the purchase of tickets, and they are necessary for the proper display of the Websites.
    • - Functional cookies:
      Functional cookies enable tracking the browsing of the Websites and the preferences used during browsing; with the help of these, the Websites can remember among others to the registration data, the events checked by the visitor, the language preferences, etc.
    • - Analytical cookies:
      Analytical cookies enable tracking the behaviour of visitors of the Websites and as a result, based on the use and exploitage of the Website by the visitors, making it possible to develop the Website and to provide an even better user experience and to display more useful content. Googly Analytics is used on the Websites to analyze use of the Websites.
      If the visitor of the Website does not want his or her data concerning the use of the Websites (including the IP address) to be collected and processed by cookies, and he or she wishes to disable them, he or she may download and install the plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=hu.
    • - Google AdWords tracking cookies:
      On the Websites, information is obtained with the help of Google tracking cookies about the fact that the Website visitor reached the Website after seeing any of our advertisements displayed in the Google system or after clicking on it. Based on the information obtained through tracking cookies, statistics can be made about Website visitors who view or click on our advertisements. Based on content viewed on the Websites, Google is able to display targeted advertisements on the websites of other partners of Google.
    • - Facebook remarketing cookies:
      On the Websites we try to get in touch again with previous visitors of the Websites with the help of Facebook remarketing cookies, by showing them advertisement concerning our services. With the help of remarketing cookies, we try to reach those visitors with social media campaign, who have already visited the Websites at least once.
    • - Third party cookies:
      In connection with some functions on the Websites, third party services also appear (e.g. a link to the Facebook page of an artist), in particular regarding social media sites (e.g. Facebook, Google+ or Twitter), which may contain third party cookies. The regulation of the use of such third party cookies is not covered by the regulations of the Data Controller; in this regard please see the regulations of third parties. Point II.6.1. of this data protection notice explains the use of cookies on the Facebook page of the Data Controller.
    • a. Scope of personal data processed with cookies.
      These cookies carry the unique identification number of the computer or device used for visiting the Website, the time and date of visiting the Website, the browsing time spent on the Website, the way of using the Website and the history of finding the Website.
    • b. Purpose of the data processing
      The Data Controller uses cookies collectively for identifying the Website visitors or users, administrating the “shopping cart”, to send shopping cart reminder e-mails, tracking the way of browsing of the Websites by the visitors and their preferences, and to enhance Website user experience, as well as to provide content related services on the Websites and the services offered to be provided by the Data Controller on the Websites (for instance to enable the Data Controller to filter the unlawful use or unlawful content from the Website).
    • c. The legal basis and duration of data processing
      Personal data is processed based on the consent of the Website visitor, which can be given by clicking on the “Accept”-button of the pop-up window on the Website; by clicking on “Change Settings” the Website visitor is able to choose among the options on the Cookie settings/policies site. Personal data is processed until the end of visiting the Website or until the consent is withdrawn. Cookies placed on the computer or device of the Website visitor will stay there until the user of the computer or device deletes them.
      The Data Controller collects the IP addresses of the Website visitors entering the Webpages based on its legitimate interest, without the specific consent of the visitor, for the purpose of ensuring for the Controller to provide content related services on the Websites and the services offered to be provided by the Data Controller on the Websites (for instance to enable the Data Controller to filter the unlawful use or unlawful content from the Website). The legal basis of the personal data processing in the framework of or related to content services provided on the Website might be the consent of the Data Subject, the legitimate interest of the Controller as well as safeguarding the fundamental rights to receive information and express opinions in compliance with the boundaries set by laws. If the collection of personal data is based on the essential legitimate interest the Data Controller has performed and may perform in the future a balancing test to collect and control that personal data in line with the GDPR and as the result of the assessment that Data Controller could establish its legitimate interest to data processing. The Data Controller shall provide information on the above to the Data Subject if request for information is submitted by the Data Subject according to the regulation of this Notice.
  • 2. How can you disable placing cookies on your computer or device?
    
    Website visitors can disable placing cookies on their computer or device by adequate browser settings. Further, the visitors of the Website can choose on the “Cookie settings/policies” site of the Website whether the functional, analytical, tracking or third party cookies may be enabled in the course of browsing the Website. The changes can be amended anytime on the ”Cookie settings/policies” site.
    However, it should be noted that disabling cookies on the computer or device may result that the user experience will be compromised; in such case, the visitor of the Website may not reach certain elements of the Website in the form as if the placing of cookies had been enabled.
    When disabling functional cookies, the Website visitor does not allow among others that we send him or her reminders about the products placed in the shopping cart, or that the Websites remember his or her language preferences etc.
    When disabling analytical cookies, the Website visitor does not allow among others that we analyse his or her activity on the Websites in order to display tailored content on the Website, or contact him or her with personalised offers at the contact points provided by him or her (if he or she provided such data, e.g. in the course of registration).
    When disabling Google AdWords tracking cookies, the Website visitor does not allow cookies to be placed on his computer in connection with advertisements, especially when clicking on advertisements.
    When disabling third party cookies, the Website visitor does not allow that third parties, in particular social media sites (e.g. Facebook, Google+ or Twitter) place cookies on his or her computer or device used for visiting the Website.
  
  
• II. 2. FOR WEBSITE ACCOUNT HOLDERS:
  Processing data for ticket purchasers
  
  
  • a. Scope of personal data processed
    First and last name, address, invoice name and address (when different from home address), e-mail address, telephone number, shipping name and address (optional). In the course of ticket sale, the date of purchase, the event to be visited with the purchased ticket, the place and date of the event, number and price of purchased tickets and the location of the places will be also registered.
    
    In the course of ticket purchase we also control payment information such as name of the card holder, last four digits of the bank card number, bank card type, expiry date and also the notification on the successful / unsuccessful transaction.
    
    For certain events, we sell personalized tickets, therefore when purchasing personalized ticket, it is required to provide the place and date of birth, address and mother’s maiden name in addition to the data listed above.
    
    In case of wheelchair users, personal data related to the reduced mobility and health condition will also be collected; unfortunately, we cannot proceed with the sale of the ticket without this additional information. Therefore, if the wheelchair user does not give his/her explicit consent to control such sensitive personal data, we will not be in a position to offer our services. The legal basis of such data processing is Art 6 (1) a) and Art. 9 (2) (a) of the GDPR.
  • b. Purpose of the data processing
    By purchasing a ticket, a contract for sale of tickets will be concluded between the Data Subject and the Data Controller.
    We may also inform you by e-mail about our parking spaces, directions, organiser's requirements (e.g. bag size)
    We collect and control the above bank card data with the aim of verifying that the purchaser and the card holder are the same person and in case the purchaser and the card holder are not the same person, excluding the possibility of misuse of the credit card / credit card fraud.
    
    For collecting the above sensitive data of wheelchair users, the purpose of data processing is to evaluate and attend the special needs of such data subjects.
  • c. The legal basis of data processing
    Processing of personal data related to sale of tickets is necessary for the conclusion of a contract for the sale of tickets between the purchaser and the Data Controller based on Art 6 (1) b) of the GDPR
    The processing of invoicing-related data is in compliance with the legal obligation pursuant to Article 6(1)(c) of the GDPR. In case of data necessary for the fulfilment of taxation obligations Act CL of 2019 on the order of taxation Section 78 (3) and 202 (1) shall apply. If the data are necessary for the fulfilment of the accounting obligations, Act C of 2000 on accounting sections 168-169 shall apply.
  • The data processed for the purpose of preventing misuse of the credit card /credit card fraud is necessary for the legitimate interests of the
  • d. Duration of data processing
    If the data are necessary for the fulfilment of tax obligations, they will be stored for 5 years calculated from the last year from that calendar year in which the tax should have been reported or in the lack of reporting in which the tax should have been paid.
    If the data are necessary for the fulfilment of the accounting obligations, retention period is 8 years.
    Data processed for the purpose of enforcement of claims and rights, fraud prevention and fraud management purposes will be retained for a general limitation period of 5 years from the date of deletion of the Simple registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be retained until the final conclusion of such proceedings.
    In case of wheelchair users, personal data related to the reduced mobility and health condition will also be collected; unfortunately, we cannot proceed with the sale of the ticket without this additional information. Therefore, if the wheelchair user does not give his/her explicit consent to control such sensitive personal data, we will not be in a position to offer our services. The legal basis of such data processing is Art 6 (1) a) and Art. 9 (2) (a) of the GDPR.
  
  Customer surveys
  • a. Scope of personal data processed
    Data provided by the Data Subject when purchasing a ticket (name, address, e-mail).
  • b. Purpose of the data processing
    To continuously improve our products and services and adapt them to your needs, we regularly invite our customers to participate in customer surveys. In doing so, the Data Controller uses the information you provide during the purchase process to contact you.
  • c. The legal basis of data processing
    Article 6(1)(f) of the GDPR -the processing of data is based on the legitimate interest of the Data Controller. The legitimate interest of the Data Controller is to inform Data Subjects about changes in products and services, to advertise the products and services and to carry out marketing activities. Survey data will be anonymised.
  • d. Duration of data processing
    6 months from the date of ticket purchase
• II. 3. FOR WEBSITE ACCOUNT HOLDERS:
  
  • a. Scope of personal data processed
    During the registration, for the purpose of creating a user account, the user shall provide his or her first and last name, e-mail address and a password. During the registration, the date of the registration and the IP address at the time of registration will also be collected. If the registration is created with Facebook profile, data processing pursuant to point II.6 of this Notice is also carried out
    If the Data Subject creates a user account or identifies him/herself for the Data Controller in another way (for instance purchasing a ticket on the Website) it is possible that the Data Controller connects all data collected in relation to the particular Data Subject, like the data collected when the Data Subject browsed the Website, newsletter tracking data, names, e-mail address, phone number, postal address, Facebook profile data, Google account information, demographic data related to the Data Subject, information on the interests and preferences of the Data Subject, online and offline transaction information, and any contact made with customer service.
  • b. Purpose of the data processing
    The purpose of data processing is the registration on the Website and the creation of a user account.
    The purpose of profiling is to carry out market research, including customer analysis, customer segmentation and running statistics. Furthermore, Data Controller can use this information for the purpose to identify the preferences and interests of the Data Subject to tailor the experience of the Website for the Data Subject and optimize the service.
  • c. The legal basis of data processing
    Processing of personal data related to the registration is based on the consent of the user pursuant to Art 6 (1) a) of the GDPR
    The legal basis of profiling purposes is the legitimate interest of the Data Controller according to Article 6(1)(f) of the GDPR. The Data Controller has legitimate business, economic interest to know the opinion of the users about the Website, the users’ purchases and habits via the Website, their preferences and other personal characteristics related to the services in order to develop the system in such a way which meets the users’ expectations and answers real market needs.
  • d. Duration of data processing
    Personal data related to registration will be retained for five (5) years from the deletion of the registration, In case of enforcing the rights and legitimate claims after the termination of the registration, provided that if civil, criminal, administrative or other official proceedings are initiated during this period, the data will be kept until the final conclusion of these proceedings.
    Personal data related to the registration may be amended at any time in the user account and the registration may be deleted by sending an e-mail with a request for deletion to the info@eventim.hu e-mail address.
    The Data Subject is entitled to object to the profiling at any time. In such case, the Data Controller may not control the personal data for such purpose
• II. 4. FOR NEWSLETTER AND DIRECT MARKETING SUBSCRIBERS: Data processing in relation to general newsletters
  • a. Scope of personal data processed
    When subscribing to receiving newsletter, the Data Subject shall provide his or her first and last name and e-mail address. When subscribing for the newsletter, the time and date of subscribing and the IP address at the time of subscribing will also be registered, furthermore, the Data Controller also collects newsletter tracking data.
  • b. Purpose of the data processing
    The Data Controller may send electronic message containing advertisement to the Data Subject’s email address, and give information regarding news, events, discounts, new functions, games, etc. When subscribing to the newsletter, it may be chosen on the http://www.eventim.hu/hu/hirlevel/ page in connection with which topics newsletters and in relation to which artist concert notification are wished to be received from the Data Controller. In addition, the Data Subject agrees that we may contact him or her with our advertisement within the framework of Google AdWords or Facebook remarketing campaign.
  • c. The legal basis and duration of data processing
    Processing of personal data related to newsletter and direct marketing is based on the explicit consent of the Data Subjects pursuant to Article 6(1)(a) of the GDPR which can be expressed by ticking the relevant checkbox. Data processing lasts until the consent is withdrawn, i.e. until unsubscribing.
    The Data Controller hereby notifies the Data Subjects that the newsletters sent to them carry tracking pixels which allow the Data Controller to prepare statistics regarding the successfulness or unsuccessfulness of marketing campaigns. The tracking pixel carried within the newsletter enable the Data Controller to track whether and when the addressee opened the newsletter, and which references of the email were opened by the Data Subject (newsletter tracking data). Collecting newsletter tracking data is used by the Data Controller to conduct research with the aim of general marketing and optimize the use of newsletters.
  Other data processing for direct marketing purposes (individual offers)
  • a. Scope of personal data processed
    Data provided by the Data Subject when purchasing a ticket (name, e-mail, address).
  • b. Purpose of data processing
    Once the data subject has purchased a ticket, the controller may send individual emails to the data subject about similar events, services and services, promotions (in some cases by post) and birthday emails. These individual emails are sent to the address provided at the time of ticket purchase.
  • c. The legal basis for data processing
    Article 6(1)(f) of the GDPR -the processing of data is based on the legitimate interest of the Data Controller
    The legitimate interest of the Data Controller is to inform Data Subjects about changes in products and services, to advertise the products and services and to carry out marketing activities.
  • d. Duration of data processing
    6 months from the date of ticket purchase
• II. 5. FOR INQUIRERS, COMPLAINANTS:
  • a. Scope of personal data processed
    In the course of complaint handling, the complainant shall provide personal data related to his or her previous purchase, in particular his or her first and last name, address or invoice address, phone number, delivery name and address, if different from the above, e-mail address and order number (if applicable). The phone number, the date and time of the call, the voice record, other personal data provided during the call is also collected and processed if the complaint is made over the phone.
  • b. Purpose of the data processing
    Personal data are processed by the Data Controller with the aim to handle related to complaints, questions, comments and problems arising in connection with ordered products.
  • c. The legal basis for the data processing
    Processing of personal data related to complaint handling is based on the consent of the Data Subject pursuant to Article 6(1)(a) of the GDPR.
    The Data Controller informs the Data Subjects that if they make a complaint over the phone the Data Controller records this phone conversation after providing preliminary notification to the Data Subject.
    The possible consequences of failing to provide the above data: the complaint cannot be made over the phone. The Data Controller allows the Data Subjects to make a complaint via email (info@eventim.hu) or by post at the address of 1139 Budapest, Váci út 91/A 3.em.. The Data Subject has to right to request the listening and deleting of the voice recording, which can be made at dataprotection@eventim.hu within the data retention period of the voice recording.
  • d. Duration of data processing
    The minutes, transcripts and responses will be retained for five (5) years from the time of the complaint, for enforcing the rights and legitimate interests of the Data Controller and of the Data Subject (or if the limitation period for enforcing rights is longer, then until the end of that period).
    The Data Controller retains the voice recording for three (3) months from registering the complaint. Once the retention period expires the data is erased.
    If the complaint is made via email and the complainant is not registered on the Website, the e-mail address of the complainant will be erased on the ninetieth (90th) day from the resolution of the issue, with the exception of unique cases when the legitimate interest of the Data Controller justifies the longer retention of the personal data, in which case erasure will be made when this legitimate interest ceases to exist.
• II. 6. FOR SIGNING IN WITH SOCIAL MEDIA ACCOUNT AND PRIZE GAMES:
  • a. Scope of personal data processed
    The Data Controller, during its activity may control the name and public profile photo of such users who registered on Facebook/Google+/Twitter/Pinterest/YouTube/Instagram etc. social media, and “liked” the Website of the Data Controller, for the purposes of sharing and liking some content, product and discounts of the Websites or the Websites itself.
    The Data Controller operates a fan page within website under https://www.facebook.com which can be found on https://www.facebook.com/Eventim.HU/ (the “Facebook fan page”). Facebook collects the personal data of the visitors of this Facebook fan page by using cookies and it generates anonym statistical data from them.
    Personal data collected on the Facebook fan page are as follows: demographic data (age, sex, marital status, profession); data concerning the interests of the visitors (buying habits, product and service preferences), geographical data.
    Facebook shares the above data with the Data Controller as anonym statistical data to enable the Data Collector as the administrator of the Facebook fan page to publish more targeted, relevant information for the page’s visitors.
    Facebook applies pop-up windows to notify the visitors of the page on the use of cookies and to the collection of the above personal data. Data Controller as the administrator of the Facebook fan page recommends to become familiar with the Facebook’s “Cookies & Other Storage Technologies” policy (available here: https://www.facebook.com/policies/cookies/) and the Facebook Data Policy (available here: https://www.facebook.com/about/privacy) prior to using on the Facebook fan page.
  • b. Purpose of the data processing
    The Data Controller processes personal data in the course of its activities on social networking sites, for the purpose of sharing or "liking" certain content, products, promotions or the website itself.
    From time to time the Data Controller publishes prize games on its Facebook fan page. For the purpose of managing these prize games, the Data Controller collects and controls surname, first name and e-mail address of participants of the game.
    The personal data of the players are collected and processed for the purpose of organising and managing prize games, especially for enabling the Data Controller to keep in contact with the participants in the games and to deliver the prize for the winners.
  • c. The legal basis for the data processing
    Processing of personal data related to social media sites is based on the voluntary consent of the Data Subject pursuant to Article 6(1)(a) of the GDPR
    The collection of the personal data of the players participating in the Facebook prize game is based on the voluntary consent of the players, which is given by the applying to the prize game pursuant to Article 6(1)(a) of the GDPR.
  • d. Duration of data processing
    After the prize game is over and the prizes are delivered, the Data Controller deletes all personal data collected in relation to the prize game
• II. 7. FOR THOSE WHO SEND E-MAIL TO THE CORPORATE E-MAIL ADDRESSES WITH THE EXTENSION OF EVENTIM.HU
  • a. Scope of personal data processed
    The Data Controller may receive unsolicited e-mails, like spam messages or job applications at the corporate inbox; in which case the Data Controller controls personal data such as the sender’s e-mail address, name, other voluntarily provided personal data based on the voluntary consent of the person sending the e-mail.
  • b. Purpose of the data processing
    Reviewing of and responding to unsolicited e-mails.
  • c. The legal basis for the data processing
    Processing of personal data related to unsolicited e-mails is based on the voluntary consent of the Data Subject pursuant to Article 6(1)(a) of the GDPR.
  • d. Duration of data processing
    Depending on the content of the unsolicited e-mail, the data processing may last until the consent is withdrawn, or it will be erased without further delay (if the e-mail carries unlawful content or if it was sent in error).



• III. DATA PROCESSORS

The Data Controller may share (besides its own competent staff) the personal data with the below companies as data processors for the below purposes:

• - Delivery:
  GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (seat: H-2351 Alsónémedi, Európa u. 2., Hungary; contact information: info@gls-hungary.com, phone number: +36 1 802 0265; https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat
  United Parcel Service Deutschland S.à r.l. & Co. OHG (seat: Görlitzer Straße 1, 41460 Neuss, Germany)
• - Online payment:
  KPS Payment GmbH & Co. KG (seat: Contrescarpe 75A, 28195 Bremen, Germany)
• - Hosting provider:
  CTS EVENTIM Solutions GmbH (seat: Contrescarpe 75 A, 28195 Bremen, Germany, e-mail: info@eventim.de)
• - Partners of the Data Controller (ticket sellers):
  Ticket seller partners of the Data Controller are listed on the http://www.eventim.hu/hu/outletek/ website.
• - For the purpose of sending newsletter and promotion e-mails:
  Optivo GmbH (seat: Wallstrasse 16, 10179 Berlin, Germany; contact information: +49 30 7680 780) - In individual cases, the Data Subject has the possibility to subscribe on the website to newsletters and mailings (in some cases sent by post) from certain promoters, their service providers or other third parties by giving the appropriate consent. For this purpose, the controller transfers the data subject's personal data to the relevant promoters, their service providers or other third parties and they will process it in their sole discretion at the own risk of the Data in accordance with the terms of their own privacy policy and subject under data protection legislation. Legal basis of the data transfer is Article 6 Para. 1 Sentence 1 lit. a) of the GDPR. the personal data will be processed on the basis of the consent of the Data Subject.
• - Event organizers:
  The personal data of the Data Subjects may be transferred to event organizers in case of some events. In such cases the exact data of the recipient event organizers will be given in a separate notice to the Data Subjects.
• - Other data transfer:
  In case of an exceptional authority request or request of other organizations, if authorized by the law, the Data Controller is obliged to provide information, communicate, transfer data or provide documentation, in particular, the Data Controller may make the personal data of the Data Subject accessible in case of an official request made by the court, the police; infringement of IP rights, property rights or other infringement of law or in case of reasonable suspicion of the above or in case of endangering or violating the Data Controller’s interests or the provision of its Services. In such cases the Data Controller transfers personal data to the requester – in the event it determined the exact purpose and scope of data – only to the extent necessary to achieve the purpose of the request.
• - Data transfer to third countries
  It may occur that the Data Controller transfers personal data to a service provider seating outside of the European Union, a so called “third country”. In case the personal data is transferred to a third country, the Data Controller guarantees that data transfer is only carried out to a country which is qualified as secure country by the European Commission. The Data Controller requires from all recipients of personal data to take appropriate security measures to protect personal data when transmitted to third countries, by applying the general data protection clause of Article 46 (2) of the GDPR.
• - Web Analytics Measurements
  Google Analytics (Google LLC (USA - Google Data Protection Office, 1600 Amphitheatre Pkwy Mountain View, California 94043), as an independent, external provider supports the independent measure of the frequency of visits and other web analytical data of the Websites. Detailed information on the data processing can be found at the following link: http://www.google.com/analytics. The Data Controller uses the data provided by Google Analytics solely for statistical purposes and to optimize the operation of the website.



• IV. WHAT ARE YOUR RIGHTS RELATED TO THE DATA PROCESSING?

The detailed rights and remedies of the individuals – which include Employees and the people listed in Section 1 – are set forth in the applicable provisions of the GDPR (especially in articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR). The summary set out below describes the most important provisions and the Employer provides information for the individuals in accordance with the above articles about their rights and remedies related to the processing of personal data.




In the course of Data processing, the Data Subject is entitled especially to the rights set out in this point.

o Right to information and access
o Right to rectification
o Right to deletion
o Right to restriction of data processing
o Right to data portability
o Right to object
o Right to withdraw consent

Right to information and access

The Data Subject is entitled to receive information about the facts related to the data processing prior the start of the data processing.
The Data Subject is entitled to request information on his or her personal data and on the processing thereof. The Data Controller provides the opportunity to the Data Subject to receive information on the personal data processed and to receive copy or extract of the documents containing the personal data.
The Data Subject is entitled to receive information as to whom, for which purpose and in what scope his or her personal data processed by the Data Controller have been forwarded.
The Data Controller is obliged to provide information regarding the personal data and the processing thereof. The Data Controller is obliged to provide information in writing and in plain language without undue delay, but within one (1) month from the submission of the request at the latest. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than within one (1) month on the reasons of lack of taking measures, and inform the Data Subject on the possibility of the legal remedy before the court and the Hungarian National Authority for Data Protection and Freedom of Information.

Right to rectification

The Data Subject is entitled to request the rectification and correction of his or her personal data. Furthermore, having regard to the aim of the data processing, he or she is entitled to request the supplementation of the incomplete personal data. The Data Subjects are recommended to review their personal data from time to time in order for the optimal use of the services provided by the Data Controller and if necessary, to contact the Data Controller to clarify their data as described above.
Within five years of the death of the Data Subject the rights of access, rectification, restriction and deletion shall be exercised by the person authorized by the Data Subject in a public document or a private document with full probative value placed at the Data Controller or failing that, close relatives of the Data Subject shall exercise these rights.

Right to deletion

The Data Subject is entitled to request the deletion of his or her personal data:
a) for which the Data Controller does not have the consent or statutory authorization to control (right of objection),
b) that are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
c) regarding which the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing,
d) that have been unlawfully processed,
e) that have to be erased for compliance with a legal obligation.

Right to restriction of data processing

Instead of deletion, the Data Controller restricts the processing of personal data in the following cases:
a) upon the request of the Data Subject, when the Data Subject challenges the accuracy of the personal data; in such case the restriction lasts until the Data Controller verifies the accuracy of the personal data, or
b) when the Data processing is unlawful and the Data Subject opposes the deletion of the personal data and requests the restriction on the use of the personal data instead, or
c) when the Data Controller no longer needs the personal data for the purpose of data processing, but the Data Subject requires that for its legal interests, or
d) when the Data Subject has objected to data processing, but it is necessary to determine, whether the legal interests of the Data Controller override those of the Data Subject.

The Data Controller will communicate any rectification or deletion of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller informs the individual about those recipients if he/she so requests.

Right to data portability

The Data Subject is entitled to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and is entitled to transmit those data to another Data Controller.

Right to object

The Data Subject is entitled to object, on grounds relating to his or her particular situation, at any time to processing of his or her personal data which is necessary for reasons of public interest or for carrying out a task falling within the scope the Data Controller’s public powers or for enforcing the legal interests of the Data Controller or a third party. In case of objection, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or which relate to filing, enforcing or defence of legal claims.

Where personal data is processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such reason, which includes profiling if it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Right to withdraw consent

The Data Subject may withdraw his or her consent without reasoning given to the data processing at any time. Withdrawal of consent does not affect the legitimacy of the data processing based on consent given prior to withdrawal.




• V. WHO IS THE DATA PROTECTION OFFICER?

The Data Controller designates a data protection officer, having regard to the fact that ticket sale service provided by the Data Controller consists of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of Data Subjects on a large scale.
The data protection officer is Mr. László Kiss, who can be contacted directly at the following e-mail address: dataprotection@eventim.hu.


• VI. HOW CAN YOU EXERCISE YOUR RIGHTS?

The Data Subject may submit his or her request for information, correction, deletion or locking to the following e-mail address: dataprotection@eventim.hu.
In case the Data Subject contacts the Data Controller with respect to this Notice, asks questions, makes comments, this information will be retained and used by the Data Controller for the purpose of providing adequate answer.
The Data Controller is obliged to provide information regarding the request for correction, locking or deletion in writing and in plain language without delay, but no later than within one (1) month from the submission of the request. In case the Data Controller does not carry out measures based on the request of the Data Subject, then the Data Controller shall provide information without delay, but no later than one (1) month on the grounds of measures, and inform the Data Subject on the possibility of the legal remedy to turn to the court and the Hungarian National Authority for Data Protection and Freedom of Information.
The Data Controller informs the Data Subject and those to whom personal data has been forwarded for the purposes of data processing on the correction, locking and deletion. The information may be omitted if it does not infringe the rightful interest of the Data Subject taking into consideration the purpose of the data processing.




• VII. HOW CAN YOU SEEK LEGAL REMEDY?

In case of any disagreement between the Data Subject and the Data Controller in connection with the data processing, it is advisable to contact the responsible personnel of the Data Controller before taking any legal actions.
In order to remedy the violation of his or her rights, the Data Subject is entitled to turn to the courts or to the Hungarian National Authority for Data Protection and Freedom of Information.
When the Data Subject turns to the court, he or she is entitled to initiate a litigation at the competent court within the geographical area in which the Data Subject resides or has his or her habitual residence, instead of the competent court based on the seat of the Data Controller.
Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:

Address: 1055 Budapest, Falk Miksa u. 9-11, Hungary
Postal address: 1363 Budapest, Pf.: 9.
Phone number: +36 (1) 391-1400
E-mail address: ugyfelszolgalat@naih.hu
Webpage: www.naih.hu




• VIII. HOW CAN WE UPDATE THIS NOTICE?

The Data Controller reserves the right to modify this Notice in the future at its discretion in particular in case of the change of law, to ensure that the Notice provides relevant and adequate information about the collecting and processing of the personal data of the Data Subjects.

Dated: Budapest, June 1, 2023